Analysis Overview
SHA256
a5c474972a6ac68a91e311ba343163c82cd7762e663ddf5b030c5bae06d1e9eb
Threat Level: Known bad
The file fb1badc1eca5035ae1b98513d0cfef32 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 17:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 17:05
Reported
2023-12-24 08:33
Platform
win7-20231215-en
Max time kernel
153s
Max time network
130s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\XNj\perfmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD5\osk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\XNj\perfmon.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD5\osk.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\\tYhhRx\\dccw.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\XNj\perfmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\CD5\osk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1240 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1240 wrote to memory of 2640 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1240 wrote to memory of 2056 | N/A | N/A | C:\Users\Admin\AppData\Local\XNj\perfmon.exe |
| PID 1240 wrote to memory of 2056 | N/A | N/A | C:\Users\Admin\AppData\Local\XNj\perfmon.exe |
| PID 1240 wrote to memory of 2056 | N/A | N/A | C:\Users\Admin\AppData\Local\XNj\perfmon.exe |
| PID 1240 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 1240 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 1240 wrote to memory of 2916 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 1240 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe |
| PID 1240 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe |
| PID 1240 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe |
| PID 1240 wrote to memory of 1364 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 1240 wrote to memory of 1364 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 1240 wrote to memory of 1364 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 1240 wrote to memory of 1496 | N/A | N/A | C:\Users\Admin\AppData\Local\CD5\osk.exe |
| PID 1240 wrote to memory of 1496 | N/A | N/A | C:\Users\Admin\AppData\Local\CD5\osk.exe |
| PID 1240 wrote to memory of 1496 | N/A | N/A | C:\Users\Admin\AppData\Local\CD5\osk.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1badc1eca5035ae1b98513d0cfef32.dll,#1
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\XNj\perfmon.exe
C:\Users\Admin\AppData\Local\XNj\perfmon.exe
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\CD5\osk.exe
C:\Users\Admin\AppData\Local\CD5\osk.exe
Network
Files
memory/1796-0-0x0000000000390000-0x0000000000397000-memory.dmp
memory/1796-1-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-4-0x0000000077516000-0x0000000077517000-memory.dmp
memory/1240-5-0x0000000002A60000-0x0000000002A61000-memory.dmp
memory/1240-8-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-9-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-10-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-13-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-15-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-19-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-22-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-23-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-25-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-24-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-26-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-27-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-29-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-32-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-33-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-36-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-37-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-38-0x0000000002A40000-0x0000000002A47000-memory.dmp
memory/1240-34-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-35-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-31-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-30-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-28-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-46-0x0000000077721000-0x0000000077722000-memory.dmp
memory/1240-45-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-47-0x0000000077880000-0x0000000077882000-memory.dmp
memory/1240-21-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-20-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-17-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-18-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-16-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-14-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-11-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-12-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1796-7-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-56-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-62-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/1240-64-0x0000000140000000-0x00000001402C6000-memory.dmp
C:\Users\Admin\AppData\Local\XNj\perfmon.exe
| MD5 | 3eb98cff1c242167df5fdbc6441ce3c5 |
| SHA1 | 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69 |
| SHA256 | 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081 |
| SHA512 | f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35 |
C:\Users\Admin\AppData\Local\XNj\credui.dll
| MD5 | b5d33f82005d2c6139b776fce209b014 |
| SHA1 | 75847efb949f21e53d1760a76ea923fc2b50b137 |
| SHA256 | ced60dc29e70a6c80c1b9126f6e163055f7fe52b15d6bf5abb03d62252d54b6d |
| SHA512 | b1b54d6581c64a85876d6aaa93c50d12561226587720e50eac495a70d5892cef62697765583ec19bee9919a9ad197491e78c743af61d8241798a9f57806ab146 |
\Users\Admin\AppData\Local\XNj\credui.dll
| MD5 | 7234ee8c6a1282f42cd71b4f0b6135bb |
| SHA1 | a0a46155c8289822877fd4fc05995ffde0d67d52 |
| SHA256 | 6e76e78cc0d106fd1ef5f39cfadd6a54b11c9c2708c3c55714ca56c098f15d89 |
| SHA512 | 84317c8c9c00bbfbc821d3131f2a73cfedd05c4b34430701c2bc4002e50ef3ed8d143cd5ac67ca2c6a23d50df3ea82680d15afb252432f8e6010e725889380bf |
memory/2056-75-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/2056-79-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/2056-74-0x0000000000280000-0x0000000000287000-memory.dmp
C:\Users\Admin\AppData\Local\XNj\perfmon.exe
| MD5 | 06d9864e20223f24dd313e9508beedfb |
| SHA1 | a08e5bdd5ebb7e92216944621f2c8ab02e933927 |
| SHA256 | 23d601e7cd7f6e938d398402ec3590aaac5e62a092bb69c330046b5438a8474a |
| SHA512 | ea04d53fb1e5e3cb7000ec23976366170f90a73df7dac74a0243290f5204dc33dde8bf592d75576ed9f3d3e5efe56fbcafc3ff0f8f516243d2405df88dcde0db |
C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
| MD5 | 423199194601c75041c17f11d75be503 |
| SHA1 | c04b110a4800d018ca1af40c1624cca9360d2256 |
| SHA256 | bfc48f22aaa40519a95148042296b4ffc3deea9e5c5b7c76ade55ff42128598f |
| SHA512 | f6547d5db1dd7aae483e5aa91a54398ca28ed90fb68fa3437daefc9a47e4504bf85ca143e5366bbbde518efc0ed7a7af88f7413c0faa08fd8048ccafe9364b63 |
\Users\Admin\AppData\Local\Kn7CY2il\dxva2.dll
| MD5 | 25b6920fe8f99dadf02dcef4e965c469 |
| SHA1 | b65addde11f4ae02aeb716f51c9c69d0b43521be |
| SHA256 | 2946d1a6e2a4a1c1d1ac9f58389a79a6263820ed442c511938463b9e70e84076 |
| SHA512 | 17a1d55b5c3b6e276fd3ee7621c029386b95fa4b6a6ef230ead6d785bbf805f27ca8f8588037ce7e77f546e86e2750d78d625bbcdb3b1bd151780aa168c412ca |
C:\Users\Admin\AppData\Local\Kn7CY2il\dxva2.dll
| MD5 | f010a9e86036d89e1ea908e68f039462 |
| SHA1 | 00e8ec37ee5febe2699b63a9a37e212e74e7d2cc |
| SHA256 | fb35d8df0dbf287b8b97e933806b19436e40573f71f9a4ebe63e1da53c170b3b |
| SHA512 | 3b347f8d1a4e4e7a64bc45e3d3e0b80554718624c56cf183f651e45a338e20f571500e4ac2961cd06c977cf51a46f32945751e2ec2446d5c135b213b78c96dc3 |
\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
| MD5 | debdc8a1916441f58d28a87eabc1c8e7 |
| SHA1 | 7b2ed6eae33118de2355add9a3c9d5204e07ce62 |
| SHA256 | 42542c4de7ec72c2048965fb1e0e449ab2deb104dc662e72e69389f6380c2569 |
| SHA512 | ed94d07edcfd6a880d3a3e00c91001a4704c563e70fddf15df7d92aaf3441cf59953ad8cc92d43277c81f318cad80730e1fe183a4dff3785cac11ca2ac01419a |
memory/2920-97-0x0000000140000000-0x00000001402C7000-memory.dmp
C:\Users\Admin\AppData\Local\Kn7CY2il\dccw.exe
| MD5 | 1f137257c90f4157a0e7e3bd9e23ace7 |
| SHA1 | 5a3aeb6a77610c370d14636575051b680f26b49c |
| SHA256 | 2eb89efa073d8f5166255273eecd31f6f4cbdc2384ea4dcc3776dc94a54fa33f |
| SHA512 | 26127cfaeddcc442dd0d743a2ef2800209d07d70173259d3723458520e120485a73619cbf4d3b0312e195c873052efc257c599f4798d182fb86afdcdc80ec3ba |
C:\Users\Admin\AppData\Local\CD5\dwmapi.dll
| MD5 | 4871ac84db39df25c4fa2a90ce3389cf |
| SHA1 | 52c31ef73cc5f7105a2300c73a8f80a3d657a370 |
| SHA256 | 622a78ebfdc1a052de9519d2c61be74c190951ad46fa16aa8f4d3ff8a7adc176 |
| SHA512 | a7ce8a92a857733edca1b7c3f1a65174f372a3a36c63411cd5b4974240d460f57764c9b9f2421da29cbe0be06cd69fd58073c6c06cf64251bee1b12ffbba8cab |
C:\Users\Admin\AppData\Local\CD5\osk.exe
| MD5 | 80a8659bfe6ca1fa40eb00225ed45725 |
| SHA1 | 6cf3002eb06919d115169e1f998cb986f6caf731 |
| SHA256 | b2e24119135aef077b0849250901cf25684bb4b4641e8ef157a0e3bb3bcb3b19 |
| SHA512 | a1791844f689805e0c1b57a6a9ba9a1f5b9f2bc5af4b29f2449800aedde9fcdabf77a0543764e0cb791c8e71d0ca98c2ddd43c0e870cc090001b969e1343d56b |
\Users\Admin\AppData\Local\CD5\dwmapi.dll
| MD5 | 86963b4bdf19693de34ceb0863ef8fdd |
| SHA1 | baa51faae22096aaf2840b98765c5352f96eab46 |
| SHA256 | 34ce8bf1d2fdcc17b024f924e116e75b8ef83d65c2ac7022b9525e4da8f8d4a0 |
| SHA512 | 336dec509008a99fe00591567a21cef3e206da0ac26bc3e95dbb2985166ed64afda1bf5b7c4b323afb0ff2558f3da34455e64129d21a3642bb3a7b4d875c20da |
\Users\Admin\AppData\Local\CD5\osk.exe
| MD5 | 28e17df8e1150cf5fefa03e35bfd16e5 |
| SHA1 | f4af067e8d7e10370208b340a684972be9e4cab1 |
| SHA256 | ea224589e3aaffc048939068999f9aad79ace348e0391d37f025d59bce61da48 |
| SHA512 | 8005a34a20e046f41d687f46d153ef853497dd888a07ec0b116e1fe7635965dc79dd41bc81b48f4fe71a8fb5ecbb2df673f67adb3684a5160625d83c5f061cdd |
memory/1496-116-0x0000000000190000-0x0000000000197000-memory.dmp
C:\Users\Admin\AppData\Local\CD5\osk.exe
| MD5 | 0c9d499f2d6b50da10187633d0783bea |
| SHA1 | c4beffc25de6b57f7f1d1873721cdabe344d7461 |
| SHA256 | b720bddfddb0a3381b063e87d4724ac1ae5251d8f7d8d4b7f5c732a68b55c05e |
| SHA512 | a9c386b717bca5c4e9e9d379113f51fb50a771546c072ee9162ecba0cbd424bec802f6041a5288a764cd261acf3fd6b21819b8f0f0893fcdc5a969b46e7cd602 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\osk.exe
| MD5 | 0fa7ce2eceda9893bb82a9305111d451 |
| SHA1 | bdb3b79d8bf7f8f50be59eb4a899daba5d9c9a5c |
| SHA256 | 33426059111f000ba8be77ec2a43a3bbcbfe10f388b27cefca4cfdcca415b42d |
| SHA512 | 81008b6999cc678013f344487b27962c5a8d2b8448f0984786d0f293322fd1d193f34f5c680d62906dbb7d126edc9190acf62b212b869e8a9390e270f4c91671 |
memory/1240-139-0x0000000077516000-0x0000000077517000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | a4703b869afaedd5d6f9253b0e1e43ac |
| SHA1 | ae37bacb154982ba50a776e0ad859fd21310ec76 |
| SHA256 | 6673372c486953b7ffcbcc73f2986c407e74dc87dfb197b0f221f58d61671593 |
| SHA512 | fa74cfb09f7315d18b490e50056cdece3ef3fd3f68a71900a3cd4393faf57cbc4a8dbf2838ac9a55b71a236a7bf41fb7d2341beba39086cee6bb0ce267b8539d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\KqjAkpkG5F\credui.dll
| MD5 | a7addbf8c2395e11314cba64ab287da9 |
| SHA1 | 8635fa24ab4722a2f4543de1f10ca21f819d5b71 |
| SHA256 | 21e117841fa3941c6d93c333e5ba63bc5ac6937eddeccefd2555f10644f4338f |
| SHA512 | 99172ab80ccec325af96e8a3a93dc936ccac1f043ad243aeb4a1ec5943059d4d1def36b908aa87e8c66e08791109adfc09e540aab3e973002e9d849365d0fb67 |
C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\tYhhRx\dxva2.dll
| MD5 | 029956aacdaed94c84e4304ff879b6d8 |
| SHA1 | 9690a6b5a53d9ab36dc6f4bdaeb7b4b076af5cb0 |
| SHA256 | 0444c3899250a8618c79bf389cf17ab99c388e34d90fab16492584d1dc6eb822 |
| SHA512 | 1a8c558aae2bb9cdcc8734b9475c1aea9ce4b524d63b55753cbaebe9e42dc7a5d45bb669f7a0ea04f79795c92b881904eb187e2843913f3521e51ed58161d2d0 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SSH9HALG\Y7VPhZ\dwmapi.dll
| MD5 | df6f13d91f2eb1b37179abd79da2e5c5 |
| SHA1 | 8c6cb2c0d0294006a78f465cab45a7d7a48b830a |
| SHA256 | b3433d54b3c3ddf0a09db041963471f2f30bb527bc5ead670e410a1111dd6796 |
| SHA512 | 5f0256e7c6f9e79e354bcc28b270eee43ee0ae422f41a9ec27ba80e79b0f9207962695f923a6709e1211f2d0e9898d1cf5d398c7efdd7e765412f7498133ba65 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 17:05
Reported
2023-12-24 08:33
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\9K\\DXPSER~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 2148 | N/A | N/A | C:\Windows\system32\SnippingTool.exe |
| PID 3492 wrote to memory of 2148 | N/A | N/A | C:\Windows\system32\SnippingTool.exe |
| PID 3492 wrote to memory of 4516 | N/A | N/A | C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe |
| PID 3492 wrote to memory of 4516 | N/A | N/A | C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe |
| PID 3492 wrote to memory of 400 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 3492 wrote to memory of 400 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 3492 wrote to memory of 1472 | N/A | N/A | C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe |
| PID 3492 wrote to memory of 1472 | N/A | N/A | C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe |
| PID 3492 wrote to memory of 3524 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3492 wrote to memory of 3524 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3492 wrote to memory of 3948 | N/A | N/A | C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE |
| PID 3492 wrote to memory of 3948 | N/A | N/A | C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb1badc1eca5035ae1b98513d0cfef32.dll,#1
C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe
C:\Users\Admin\AppData\Local\RrnBa\SnippingTool.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE
C:\Users\Admin\AppData\Local\lfiHlTu\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe
C:\Users\Admin\AppData\Local\TzCq8\Dxpserver.exe
C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.194:80 | tcp | |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 52.111.229.19:443 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 88.221.134.18:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 96.16.110.114:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 96.16.110.114:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| N/A | 96.16.110.114:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| N/A | 96.16.110.114:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 96.17.178.194:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 88.221.135.211:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 87.248.204.0:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 87.248.205.0:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| N/A | 87.248.205.0:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.135.217:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 88.221.134.18:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp | |
| GB | 96.17.178.176:80 | tcp |
Files
memory/2024-0-0x000001816F020000-0x000001816F027000-memory.dmp
memory/2024-1-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-5-0x00007FFFD5D1A000-0x00007FFFD5D1B000-memory.dmp
memory/3492-10-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-11-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-16-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-20-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-25-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-30-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-35-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-37-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-38-0x0000000000A70000-0x0000000000A77000-memory.dmp
memory/3492-45-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-46-0x00007FFFD5F80000-0x00007FFFD5F90000-memory.dmp
memory/3492-57-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-55-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/4516-72-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/4516-67-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/4516-66-0x00000154196E0000-0x00000154196E7000-memory.dmp
memory/1472-89-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/3948-106-0x0000000140000000-0x00000001402C7000-memory.dmp
memory/3948-102-0x000001A50F4F0000-0x000001A50F4F7000-memory.dmp
memory/1472-85-0x000001A4FFFA0000-0x000001A4FFFA7000-memory.dmp
memory/3492-36-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-34-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-33-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-32-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-31-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-29-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-28-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-27-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-26-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-24-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-23-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-22-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-21-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-19-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-18-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-17-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-15-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-13-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-14-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-12-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-9-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/2024-8-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-7-0x0000000140000000-0x00000001402C6000-memory.dmp
memory/3492-4-0x0000000002920000-0x0000000002921000-memory.dmp